Maryland 2022 Regular Session

Maryland Senate Bill SB810 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1
2	2
3	3	EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4	4	[Brackets] indicate matter deleted from existing law.
5	5	sb0810
6	6
7	7	SENATE BILL 810
8	8	S2, E4, C5 2lr2965
9	9
10	10	By: Senator Hester
11	11	Introduced and read first time: February 7, 2022
12	12	Assigned to: Finance
13	13
14	14	A BILL ENTITLED
15	15
16	16	AN ACT concerning 1
17	17
18	18	Cybersecurity – Critical Infrastructure and Public Service Companies 2
19	19	(Critical Infrastructure Security Act of 2022) 3
20	20
21	21	FOR the purpose of authorizing the Department of Emergency Management to take action 4
22	22	to reduce the disaster risk and vulnerability of critical infrastructure; establishing 5
23	23	the Critical Infrastructure Cybersecurity Grant Program in the Department to 6
24	24	leverage certain funds to make cybersecurity improvements to critical 7
25	25	infrastructure; altering the duties and staffing requirements of the Public Service 8
26	26	Commission to include cybersecurity; authorizing the Office of People’s Counsel to 9
27	27	retain or hire an expert in cybersecurity; requiring certain public service companies 10
28	28	to adopt certain cybersecurity best practices, protect certain information, include 11
29	29	certain language in certain contracts, and establish certain security standards for 12
30	30	certain technology devices, data, and personally identifiable information; requiring 13
31	31	certain regulations on service quality and reliability standards for electric companies 14
32	32	and gas companies to include cyber resiliency; and generally relating to cybersecurity 15
33	33	risk protection of critical infrastructure and public service companies. 16
34	34
35	35	BY repealing and reenacting, with amendments, 17
36	36	Article – Public Safety 18
37	37	Section 14–101, 14–102(a), and 14–103 19
38	38	Annotated Code of Maryland 20
39	39	(2018 Replacement Volume and 2021 Supplement) 21
40	40
41	41	BY adding to 22
42	42	Article – Public Safety 23
43	43	Section 14–118 24
44	44	Annotated Code of Maryland 25
45	45	(2018 Replacement Volume and 2021 Supplement) 26
46	46
47	47	BY repealing and reenacting, without amendments, 27
48	48	Article – Public Utilities 28 2 SENATE BILL 810
49	49
50	50
51	51	Section 1–101(a) and 7–213(d) 1
52	52	Annotated Code of Maryland 2
53	53	(2020 Replacement Volume and 2021 Supplement) 3
54	54
55	55	BY adding to 4
56	56	Article – Public Utilities 5
57	57	Section 1–101(h–1) through (h–3) and 5–305 6
58	58	Annotated Code of Maryland 7
59	59	(2020 Replacement Volume and 2021 Supplement) 8
60	60
61	61	BY repealing and reenacting, with amendments, 9
62	62	Article – Public Utilities 10
63	63	Section 2–108(d), 2–113(a), 2–203(f), and 7–213(e)(1) 11
64	64	Annotated Code of Maryland 12
65	65	(2020 Replacement Volume and 2021 Supplement) 13
66	66
67	67	SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 14
68	68	That the Laws of Maryland read as follows: 15
69	69
70	70	Article – Public Safety 16
71	71
72	72	14–101. 17
73	73
74	74	(a) In this title the following words have the meanings indicated. 18
75	75
76	76	(B) “CRITICAL INFRASTRUCTU RE” MEANS SYSTEMS AND ASSETS , WHETHER 19
77	77	PHYSICAL OR VIRTUAL , THAT ARE SO VITAL TO THE STATE THAT THE INCAPA CITY 20
78	78	OR DESTRUCTION OF THE SYSTEM OR ASSET WOULD HAVE A D EBILITATING IMPACT 21
79	79	ON ANY ONE OR COMBINATI ON OF THE FOLLOWING : 22
80	80
81	81	(1) SECURITY; 23
82	82
83	83	(2) ECONOMIC SECURITY ; 24
84	84
85	85	(3) PUBLIC HEALTH ; OR 25
86	86
87	87	(4) PUBLIC SAFETY. 26
88	88
89	89	(C) (1) “CYBERSECURITY ” MEANS PROCESSES OR CAPABIL ITIES IN 27
90	90	WHICH SYSTEMS, COMMUNICATIONS , AND INFORMATION ARE PROTECTED AND 28
91	91	DEFENDED AGAINST DAM AGE, UNAUTHORIZED USE OR MODIFICATION , AND 29
92	92	EXPLOITATION . 30
93	93
94	94	(2) “CYBERSECURITY ” INCLUDES PROTECTING THE AVAILABILITY , 31
95	95	INTEGRITY, AUTHENTICATION , CONFIDENTIALITY , AND NONREPUDIATION O F 32 SENATE BILL 810 3
96	96
97	97
98	98	INFORMATION . 1
99	99
100	100	[(b)] (D) “Department” means the Maryland Department of Emergency 2
101	101	Management. 3
102	102
103	103	[(c)] (E) “Emergency” means the imminent threat or occurrence of severe or 4
104	104	widespread loss of life, injury, or other health impacts, property damage or destruction, 5
105	105	social or economic disruption, or environmental degradation from natural, technological, or 6
106	106	human–made causes. 7
107	107
108	108	[(d)] (F) (1) “Emergency management” means the planning, implementing, 8
109	109	and conducting of risk reduction and consequence management activities across the 9
110	110	mission areas of prevention, protection, mitigation, response, and recovery to enhance 10
111	111	preparedness, save lives, preserve public health and safety, protect public and private 11
112	112	property, and minimize or repair injury and damage that results or may result from 12
113	113	emergencies. 13
114	114
115	115	(2) “Emergency management” does not include the preparation for and 14
116	116	carrying out of functions in an emergency for which military forces are primarily 15
117	117	responsible. 16
118	118
119	119	[(e)] (G) “Local organization for emergency management” means an 17
120	120	organization established by a political subdivision or other local authority under § 14–109 18
121	121	of this subtitle. 19
122	122
123	123	[(f)] (H) “Political subdivision” means a county or municipal corporation of the 20
124	124	State. 21
125	125
126	126	[(g)] (I) “Secretary” means the Secretary of Emergency Management. 22
127	127
128	128	(J) “SECURITY BY DESIGN ” MEANS THE CONSIDERATION OF 23
129	129	CYBERSECURITY RISKS IN EVERY PHASE OF A PROJECT. 24
130	130
131	131	[(h)] (K) “Senior elected official” means: 25
132	132
133	133	(1) the mayor; 26
134	134
135	135	(2) the county executive; 27
136	136
137	137	(3) for a county that does not have a county executive, the president of the 28
138	138	board of county commissioners or county council or other chief executive officer of the 29
139	139	county; or 30
140	140
141	141	(4) for a municipal corporation that does not have a mayor, the burgess, 31
142	142	chairperson, or president of the municipal governing body or other chief executive officer of 32
143	143	the municipal corporation. 33 4 SENATE BILL 810
144	144
145	145
146	146
147	147	14–102. 1
148	148
149	149	(a) To ensure that the State will be adequately prepared to deal with emergencies, 2
150	150	to protect the public peace, health, and safety in the State, to preserve the lives and 3
151	151	property of the people of the State, and to ensure the social and economic resilience of the 4
152	152	State, it is necessary to: 5
153	153
154	154	(1) establish a Maryland Department of Emergency Management; 6
155	155
156	156	(2) authorize the establishment of local organizations for emergency 7
157	157	management in the political subdivisions; 8
158	158
159	159	(3) confer on the Governor and on the senior elected officials or governing 9
160	160	bodies of the political subdivisions the emergency powers provided in this subtitle; 10
161	161
162	162	(4) provide for the rendering of mutual aid among the political subdivisions 11
163	163	and with other states in carrying out emergency management functions; [and] 12
164	164
165	165	(5) authorize a comprehensive emergency management system that 13
166	166	empowers all State departments and agencies to systematically prepare for, mitigate, 14
167	167	respond to, and recover from potential or actual emergencies through risk reduction and 15
168	168	consequence management; AND 16
169	169
170	170	(6) AUTHORIZE THE DEPARTMENT TO ESTABLI SH A GRANT PROGRAM 17
171	171	FOR THE PROTECTION O F CRITICAL INFRASTRUCT URE. 18
172	172
173	173	14–103. 19
174	174
175	175	(a) There is a Maryland Department of Emergency Management established as a 20
176	176	principal department of the Executive Branch of State government. 21
177	177
178	178	(b) The Department has primary responsibility and authority for developing 22
179	179	emergency management policies and is responsible for coordinating disaster risk reduction, 23
180	180	consequence management, and disaster recovery activities. 24
181	181
182	182	(c) The Department may act to: 25
183	183
184	184	(1) reduce the disaster risk and vulnerability of persons, CRITICAL 26
185	185	INFRASTRUCTURE , and property located in the State; 27
186	186
187	187	(2) develop and coordinate emergency planning and preparedness; and 28
188	188
189	189	(3) coordinate emergency management activities and operations: 29
190	190
191	191	(i) relating to an emergency that involves two or more State 30 SENATE BILL 810 5
192	192
193	193
194	194	agencies; 1
195	195
196	196	(ii) between State agencies and political subdivisions; 2
197	197
198	198	(iii) with local governments; 3
199	199
200	200	(iv) with agencies of the federal government and other states; and 4
201	201
202	202	(v) with private and nonprofit entities. 5
203	203
204	204	14–118. 6
205	205
206	206	(A) IN THIS SECTION, “PROGRAM” MEANS THE CRITICAL INFRASTRUCTURE 7
207	207	CYBERSECURITY GRANT PROGRAM. 8
208	208
209	209	(B) THERE IS A CRITICAL INFRASTRUCTURE CYBERSECURITY GRANT 9
210	210	PROGRAM IN THE DEPARTMENT . 10
211	211
212	212	(C) THE PURPOSE OF THE PROGRAM IS TO LEVERAGE FUNDS AVAIL ABLE 11
213	213	FROM FEDERAL , STATE, AND LOCAL GRANT PROG RAMS TO MAKE CYBERSECURIT Y 12
214	214	IMPROVEMENTS TO CRIT ICAL INFRASTRUCTURE . 13
215	215
216	216	(D) THE DEPARTMENT SHALL : 14
217	217
218	218	(1) ADMINISTER THE PROGRAM; 15
219	219
220	220	(2) ESTABLISH APPLICATIO N PROCEDURES FOR THE PROGRAM; AND 16
221	221
222	222	(3) AWARD GRANTS FROM TH E PROGRAM. 17
223	223
224	224	(E) (1) IN DETERMINING THE TYPES OF CYBERSECURI TY IMPROVEMENTS 18
225	225	AND RECIPIENTS ELIGIBLE FOR GRANTS UNDER THE PROGRAM, THE DEPARTMENT 19
226	226	SHALL: 20
227	227
228	228	(I) CONSULT WITH ELECTRIC COMPANIES , GAS COMPANIES , 21
229	229	WATER UTILITIES , STATE AGENCIES, AND POLITICAL SUBDIV ISIONS TO: 22
230	230
231	231	1. IDENTIFY CURRENT AND FORESEEA BLE 23
232	232	CYBERSECURITY RISKS TO THE STATE’S ELECTRIC GRID , NATURAL GAS 24
233	233	INFRASTRUCTURE , AND WATER AND SEWER SYSTEMS; AND 25
234	234
235	235	2. PREPARE A REPORT ON THE CYBERSECURITY RISKS 26
236	236	IDENTIFIED UNDER ITE M 1 OF THIS ITEM; 27
237	237	6 SENATE BILL 810
238	238
239	239
240	240	(II) IDENTIFY FUNDING TO F UND THE GRANTS AWARDED U NDER 1
241	241	THE PROGRAM; AND 2
242	242
243	243	(III) DEVELOP CRITERIA FOR SELECTING GRANT RECIPIENTS 3
244	244	BASED ON A GRANT APPLICANT’S CYBERSECURITY RISK . 4
245	245
246	246	(2) ON OR BEFORE DECEMBER 1, 2022, THE DEPARTMENT SHALL 5
247	247	SUBMIT THE REPORT PR EPARED UNDER PARAGRA PH (1)(I)2 OF THIS SUBSECTION 6
248	248	TO THE GOVERNOR AND , IN ACCORDANCE WITH § 2–1257 OF THE STATE 7
249	249	GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY. 8
250	250
251	251	(F) THE DEPARTMENT SHALL : 9
252	252
253	253	(1) REQUIRE EACH GRANT R ECIPIENT TO DEVELOP PROCESSES TO 10
254	254	ADDRESS CYBERSECURIT Y RISKS AND SUBMIT A REPORT ON IMPLEMENTED 11
255	255	PROCESSES TO THE DEPARTMENT ; AND 12
256	256
257	257	(2) REQUIRE GRANT RECIPIE NTS THAT MODERNIZE OR IMPROVE THE 13
258	258	RESILIENCE OF ELECTRIC GRIDS , NATURAL GAS INFRASTR UCTURE, OR WATER AND 14
259	259	SEWER SYSTEMS TO: 15
260	260
261	261	(I) SUBMIT A REPORT ON IMPLEMENTED SECURITY BY DESIGN 16
262	262	PRINCIPLES TO THE DEPARTMENT ; AND 17
263	263
264	264	(II) ESTABLISH A CYBERSEC URITY PLAN THAT ADDR ESSES 18
265	265	CYBERSECURITY RISKS IN POLICY, SOFTWARE DEVELOPMEN T, HARDWARE , AND 19
266	266	NETWORKS. 20
267	267
268	268	Article – Public Utilities 21
269	269
270	270	1–101. 22
271	271
272	272	(a) In this division the following words have the meanings indicated. 23
273	273
274	274	(H–1) “CYBER RESILIENCY ” MEANS THE ABILITY TO ANTICIPATE, WITHSTAND, 24
275	275	RECOVER FROM , AND ADAPT TO ADVERSE CONDITIONS, STRESSES, ATTACKS, OR 25
276	276	COMPROMISES ON SYSTE MS THAT USE OR ARE E NABLED BY A CYBER RESOURCE . 26
277	277
278	278	(H–2) “CYBER RESOURCE ” MEANS AN INFORMATION SOURCE THAT : 27
279	279
280	280	(1) CREATES, STORES, PROCESSES, MANAGES, TRANSMITS, OR 28
281	281	DISPOSES OF INFORMAT ION IN AN ELECTRONIC FORMAT; AND 29
282	282
283	283	(2) CAN BE ACCESSED BY A NETWORK OR BY USING NETWORKING 30 SENATE BILL 810 7
284	284
285	285
286	286	METHODS. 1
287	287
288	288	(H–3) “CYBERSECURITY ” HAS THE MEANING STAT ED IN § 14–101 OF THE 2
289	289	PUBLIC SAFETY ARTICLE. 3
290	290
291	291	2–108. 4
292	292
293	293	(d) (1) The State budget shall provide sufficient money for the Commission to 5
294	294	hire, develop, and organize a staff to perform the functions of the Commission, including 6
295	295	analyzing data submitted to the Commission and participating in proceedings as provided 7
296	296	in § 3–104 of this article. 8
297	297
298	298	(2) (i) As the Commission considers necessary, the Commission shall 9
299	299	hire experts including economists, cost of capital experts, rate design experts, accountants, 10
300	300	engineers, transportation specialists, and lawyers. 11
301	301
302	302	(ii) To assist in the regulation of intrastate hazardous liquid 12
303	303	pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff 13
304	304	at least one engineer who specializes in the storage of and the transportation of hazardous 14
305	305	liquid materials by pipeline. 15
306	306
307	307	(3) THE COMMISSION SHALL INCL UDE ON ITS STAFF ONE OR MORE 16
308	308	EMPLOYEES DEDICATED TO C YBERSECURITY POLICY , STRATEGY, AUDITING, AND 17
309	309	REPORTING. 18
310	310
311	311	(4) The Commission may retain on a case by case basis additional experts 19
312	312	as required for a particular matter. 20
313	313
314	314	[(4)] (5) The lawyers who represent the Commission staff in proceedings 21
315	315	before the Commission shall be appointed by the Commission and shall be organized and 22
316	316	operate independently of the office of General Counsel. 23
317	317
318	318	[(5)] (6) (i) As required, the Commission shall hire public utility law 24
319	319	judges. 25
320	320
321	321	(ii) Public utility law judges are a separate organizational unit and 26
322	322	shall report directly to the Commission. 27
323	323
324	324	[(6)] (7) The Commission shall hire personal staff members for each 28
325	325	commissioner as required to provide advice, draft proposed orders and rulings, and perform 29
326	326	other personal staff functions. 30
327	327
328	328	[(7)] (8) Subject to § 3–104 of this article, the Commission may delegate 31
329	329	to a commissioner or personnel the authority to perform an administrative function 32
330	330	necessary to carry out a duty of the Commission. 33
331	331	8 SENATE BILL 810
332	332
333	333
334	334	[(8)] (9) (i) Except as provided in subparagraph (ii) of this paragraph 1
335	335	or otherwise by law, all personnel of the Commission are subject to the provisions of the 2
336	336	State Personnel and Pensions Article. 3
337	337
338	338	(ii) The following are in the executive service, management service, 4
339	339	or are special appointments in the State Personnel Management System: 5
340	340
341	341	1. each commissioner of the Commission; 6
342	342
343	343	2. the Executive Director; 7
344	344
345	345	3. the General Counsel and each assistant general counsel; 8
346	346
347	347	4. the Executive Secretary; 9
348	348
349	349	5. the commissioners’ personal staff members; 10
350	350
351	351	6. the chief public utility law judge; and 11
352	352
353	353	7. each license hearing officer. 12
354	354
355	355	2–113. 13
356	356
357	357	(a) (1) The Commission shall: 14
358	358
359	359	(i) supervise and regulate the public service companies subject to 15
360	360	the jurisdiction of the Commission to: 16
361	361
362	362	1. ensure their operation in the interest of the public; and 17
363	363
364	364	2. promote adequate, economical, and efficient delivery of 18
365	365	utility services in the State without unjust discrimination; and 19
366	366
367	367	(ii) enforce compliance with the requirements of law by public 20
368	368	service companies, including requirements with respect to financial condition, 21
369	369	capitalization, franchises, plant, manner of operation, rates, and service. 22
370	370
371	371	(2) In supervising and regulating public service companie s, the 23
372	372	Commission shall consider: 24
373	373
374	374	(i) the public safety; 25
375	375
376	376	(ii) the economy of the State; 26
377	377
378	378	(iii) the maintenance of fair and stable labor standards for affected 27
379	379	workers; 28
380	380	SENATE BILL 810 9
381	381
382	382
383	383	(iv) the conservation of natural resources; 1
384	384
385	385	(v) the preservation of environmental quality, including protection 2
386	386	of the global climate from continued short–term and long–term warming based on the best 3
387	387	available scientific information recognized by the Intergovernmental Panel on Climate 4
388	388	Change; [and] 5
389	389
390	390	(vi) the achievement of the State’s climate commitments for reducing 6
391	391	statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the 7
392	392	Environment Article; AND 8
393	393
394	394	(V) THE CYBERSECURITY RISKS FACED BY PUBLI C SERVICE 9
395	395	COMPANIES IN THE STATE. 10
396	396
397	397	2–203. 11
398	398
399	399	(f) The Office of People’s Counsel may retain as necessary for a particular matter 12
400	400	or hire experts in the field of: 13
401	401
402	402	(1) utility regulation, including cost of capital experts, rate design experts, 14
403	403	accountants, economists, engineers, transportation specialists, and lawyers; [and] 15
404	404
405	405	(2) climate change, including meteorologists, oceanographers, ecologists, 16
406	406	foresters, geologists, seismologists, botanists, and experts in any other field of science that 17
407	407	the People’s Counsel determines is necessary; AND 18
408	408
409	409	(3) CYBERSECURITY . 19
410	410
411	411	5–305. 20
412	412
413	413	(A) IN THIS SECTION, “ZERO TRUST” MEANS A CYBERSECURIT Y APPROACH: 21
414	414
415	415	(1) FOCUSED ON CYBERSECU RITY RESOURCE PROTEC TION; AND 22
416	416
417	417	(2) BASED ON THE PREMISE THAT TRU ST IS NEVER GRANTED 23
418	418	IMPLICITLY BUT MUST BE CONTINUALLY EVALU ATED. 24
419	419
420	420	(B) THIS SECTION DOES NOT APPLY TO A PUBLIC SE RVICE COMPANY THAT 25
421	421	IS: 26
422	422
423	423	(1) A COMMON CARRIER ; OR 27
424	424
425	425	(2) A TELEPHONE COMPANY . 28
426	426
427	427	(C) EACH PUBLIC SERVICE C OMPANY SHALL : 29 10 SENATE BILL 810
428	428
429	429
430	430
431	431	(1) ADOPT CYBERSECURITY BEST PRACTICES , INCLUDING 1
432	432	IMPLEMENTING ZERO TR UST PRINCIPLES; 2
433	433
434	434	(2) PROTECT PERSONALLY I DENTIFIABLE INFORMAT ION OF 3
435	435	CUSTOMERS AND EMPLOY EES; 4
436	436
437	437	(3) INCLUDE IN CONTRACTS WITH THIRD –PARTY INFORMATION 5
438	438	TECHNOLOGY OR OPERAT IONAL TECHNOLOGY PRO VIDERS PROVISIONS RE QUIRING 6
439	439	THE THIRD–PARTY PROVIDERS TO : 7
440	440
441	441	(I) COLLECT AND PRE SERVE DATA FOR CYBER SECURITY 8
442	442	ANALYSIS; AND 9
443	443
444	444	(II) SHARE THAT DATA AND REPORT ANY CYBERSECU RITY 10
445	445	BREACHES TO THE PUBL IC SERVICE COMPANY ; 11
446	446
447	447	(4) ESTABLISH MINIMUM SE CURITY STANDARDS FOR INFORMATION 12
448	448	TECHNOLOGY AND OPERA TIONAL TECHNOLOGY DE VICES; AND 13
449	449
450	450	(5) ENCRYPT AND CREATE M INIMUM SECURITY STAN DARDS FOR 14
451	451	DATA AND PERSONALLY IDENTIFIABLE INFORMA TION HELD BY THE PUBLIC 15
452	452	SERVICE COMPANY . 16
453	453
454	454	7–213. 17
455	455
456	456	(d) On or before July 1, 2012, the Commission shall adopt regulations that 18
457	457	implement service quality and reliability standards relating to the delivery of electricity to 19
458	458	retail customers by electric companies through their distribution systems, using: 20
459	459
460	460	(1) SAIFI; 21
461	461
462	462	(2) SAIDI; and 22
463	463
464	464	(3) any other performance measurement that the Commission determines 23
465	465	to be reasonable. 24
466	466
467	467	(e) (1) The regulations adopted under subsection (d) of this section shall: 25
468	468
469	469	(i) include service quality and reliability standards, including 26
470	470	standards relating to: 27
471	471
472	472	1. service interruption; 28
473	473
474	474	2. downed wire response; 29 SENATE BILL 810 11
475	475
476	476
477	477
478	478	3. customer communications; 1
479	479
480	480	4. vegetation management; 2
481	481
482	482	5. periodic equipment inspections; 3
483	483
484	484	6. annual reliability reporting; [and] 4
485	485
486	486	7. CYBER RESILIENCY ; AND 5
487	487
488	488	8. any other standards established by the Commission; 6
489	489
490	490	(ii) account for major outages caused by events outside the control of 7
491	491	an electric company; and 8
492	492
493	493	(iii) for an electric company that fails to meet the applicable service 9
494	494	quality and reliability standards, require the electric company to file a corrective action 10
495	495	plan that details specific actions the company will take to meet the standards. 11
496	496
497	497	SECTION 2. AND BE IT FURTHER ENACTED, That on or before June 31, 2023, 12
498	498	the Public Service Commission shall update the regulations adopted under § 7–213(d) of 13
499	499	the Public Utilities Article to include service quality and reliability standards for cyber 14
500	500	resiliency. 15
501	501
502	502	SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect June 16
503	503	1, 2022. 17